authorJoas Schilling <coding@schilljs.com>2023-04-24 13:10:55 +0200
committerJoas Schilling <coding@schilljs.com>2023-04-24 13:10:55 +0200
commit2bef32969f4f00cec4bfed1592b15e4372248458 (patch)
treeea489a253903df4b13befa38e6d9ecdc71c88f8d
parente5693a79038d26426a66416b73340c1646737ce7 (diff)
fix(controllers): Migrate to proper "multiple bruteforce protections" support
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r--lib/Controller/RoomController.php9
-rw-r--r--lib/Controller/SignalingController.php13
-rw-r--r--lib/Middleware/InjectionMiddleware.php26
3 files changed, 26 insertions, 22 deletions
diff --git a/lib/Controller/RoomController.php b/lib/Controller/RoomController.php
index 23e7953ff..8d4f9d2a4 100644
--- a/lib/Controller/RoomController.php
+++ b/lib/Controller/RoomController.php
@@ -318,15 +318,14 @@ class RoomController extends AEnvironmentAwareController {
* @return DataResponse
*/
#[BruteForceProtection(action: 'talkRoomToken')]
+ #[BruteForceProtection(action: 'talkSipBridgeSecret')]
public function getSingleRoom(string $token): DataResponse {
try {
$isSIPBridgeRequest = $this->validateSIPBridgeRequest($token);
} catch (UnauthorizedException $e) {
- $ip = $this->request->getRemoteAddress();
- $action = 'talkSipBridgeSecret';
- $this->throttler->sleepDelay($ip, $action);
- $this->throttler->registerAttempt($action, $ip);
- return new DataResponse([], Http::STATUS_UNAUTHORIZED);
+ $response = new DataResponse([], Http::STATUS_UNAUTHORIZED);
+ $response->throttle(['action' => 'talkSipBridgeSecret']);
+ return $response;
}
// The SIP bridge only needs room details (public, sip enabled, lobby state, etc)
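Review bot: The `talkSipBridgeSecret` throttling now depends entirely on the framework honoring the second `#[BruteForceProtection]` attribute added above `getSingleRoom`; the explicit `sleepDelay`/`registerAttempt` pair is gone, so if the server's middleware evaluates only the first attribute on a method, `$response->throttle(['action' => 'talkSipBridgeSecret'])` would register nothing and failed SIP-bridge authentication would no longer be rate-limited. The commit title suggests this is a new server capability, so the method docblock should name the requirement, e.g. `* Relies on the server supporting several BruteForceProtection attributes per method.`. The `$this->throttler` property in this controller appears untouched per the diffstat; if this method was its only user it can be dropped from the constructor, though that is outside the hunk and unverified. `getSingleRoom`'s body continues past the hunk.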
diff --git a/lib/Controller/SignalingController.php b/lib/Controller/SignalingController.php
index bff25ff8e..4fb627b85 100644
--- a/lib/Controller/SignalingController.php
+++ b/lib/Controller/SignalingController.php
@@ -61,7 +61,6 @@ class SignalingController extends OCSController {
public const EVENT_BACKEND_SIGNALING_ROOMS = self::class . '::signalingBackendRoom';
- private IConfig $serverConfig;
private Config $talkConfig;
private \OCA\Talk\Signaling\Manager $signalingManager;
private TalkSession $session;
@@ -74,7 +73,6 @@ class SignalingController extends OCSController {
private IEventDispatcher $dispatcher;
private ITimeFactory $timeFactory;
private IClientService $clientService;
- private IThrottler $throttler;
private LoggerInterface $logger;
private ?string $userId;
@@ -99,7 +97,6 @@ class SignalingController extends OCSController {
?string $UserId,
) {
parent::__construct($appName, $request);
- $this->serverConfig = $serverConfig;
$this->talkConfig = $talkConfig;
$this->signalingManager = $signalingManager;
$this->session = $session;
@@ -112,7 +109,6 @@ class SignalingController extends OCSController {
$this->dispatcher = $dispatcher;
$this->timeFactory = $timeFactory;
$this->clientService = $clientService;
- $this->throttler = $throttler;
$this->logger = $logger;
$this->userId = $UserId;
}
@@ -151,16 +147,15 @@ class SignalingController extends OCSController {
* @return DataResponse
*/
#[BruteForceProtection(action: 'talkRoomToken')]
+ #[BruteForceProtection(action: 'talkRecordingSecret')]
public function getSettings(string $token = ''): DataResponse {
$isRecordingRequest = false;
if (!empty($this->request->getHeader('Talk-Recording-Random')) || !empty($this->request->getHeader('Talk-Recording-Checksum'))) {
if (!$this->validateRecordingBackendRequest('')) {
- $ip = $this->request->getRemoteAddress();
- $action = 'talkRecordingSecret';
- $this->throttler->sleepDelay($ip, $action);
- $this->throttler->registerAttempt($action, $ip);
- return new DataResponse([], Http::STATUS_UNAUTHORIZED);
+ $response = new DataResponse([], Http::STATUS_UNAUTHORIZED);
+ $response->throttle(['action' => 'talkRecordingSecret']);
+ return $response;
}
$isRecordingRequest = true;
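Review bot: The earlier hunks in this file remove the `$serverConfig` and `$throttler` properties and their assignments, but the 13-line diffstat and the `?string $UserId,` tail visible at the constructor hunk suggest the parameter list itself is untouched, leaving `IConfig $serverConfig` and `IThrottler $throttler` as unused, still-injected constructor parameters; they should be removed from the signature along with any `use` imports that become unused. As in `RoomController::getSingleRoom`, the `talkRecordingSecret` throttle on the failed `validateRecordingBackendRequest('')` branch now relies on the framework honoring the second `#[BruteForceProtection]` attribute added above `getSettings`, and the method docblock should state that requirement so the dependency on server support is not lost. `getSettings` continues beyond the hunk.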
diff --git a/lib/Middleware/InjectionMiddleware.php b/lib/Middleware/InjectionMiddleware.php
index 67e10d566..e697cc201 100644
--- a/lib/Middleware/InjectionMiddleware.php
+++ b/lib/Middleware/InjectionMiddleware.php
@@ -39,6 +39,7 @@ use OCA\Talk\TalkSession;
use OCA\Talk\Webinary;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\BruteForceProtection;
use OCP\AppFramework\Http\RedirectToDefaultAppResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Middleware;
@@ -263,15 +264,24 @@ class InjectionMiddleware extends Middleware {
if ($exception instanceof RoomNotFoundException ||
$exception instanceof ParticipantNotFoundException) {
if ($controller instanceof OCSController) {
- $isBruteForceProtected = $this->reflector->hasAnnotation('BruteForceProtection');
- if ($isBruteForceProtected) {
- $ip = $this->request->getRemoteAddress();
- $action = 'talkRoomToken';
- $this->throttler->sleepDelay($ip, $action);
- $this->throttler->registerAttempt($action, $ip, [
- 'token' => $this->request->getParam('token') ?? '',
- ]);
+ $reflectionMethod = new \ReflectionMethod($controller, $methodName);
+ $attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);
+
+ if (!empty($attributes)) {
+ foreach ($attributes as $attribute) {
+ /** @var BruteForceProtection $protection */
+ $protection = $attribute->newInstance();
+ $action = $protection->getAction();
+
+ if ('talkRoomToken' === $action) {
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
+ $this->throttler->registerAttempt($action, $this->request->getRemoteAddress(), [
+ 'token' => $this->request->getParam('token') ?? '',
+ ]);
+ }
+ }
}
+
throw new OCSException('', Http::STATUS_NOT_FOUND);
}
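Review bot: Replacing `$this->reflector->hasAnnotation('BruteForceProtection')` with `getAttributes(BruteForceProtection::class)` means any controller method that still declares protection as a docblock `@BruteForceProtection` annotation rather than a `#[BruteForceProtection]` attribute silently stops being throttled on `RoomNotFoundException`/`ParticipantNotFoundException`; either confirm no annotation-form usages remain or keep the `hasAnnotation` check as a fallback. Stylistically, `$this->request->getRemoteAddress()` is now evaluated twice per matching attribute and the `if (!empty($attributes))` wrapper is redundant around a `foreach`; hoisting `$ip = $this->request->getRemoteAddress();` above the loop and passing `$ip` to both `sleepDelay` and `registerAttempt` restores the earlier shape. `$methodName` is presumably the `afterException` parameter; that method starts above the hunk.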